GRI

ICS Advisory: Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch

News Cybersecurity English Guidance
Date: 5th Oct, 2023 Source: Cybersecurity and Infrastructure Security Agency Country: USA Original Source

Brief

Summary:

A vulnerability report from Mitsubishi Electric regarding their CC-Link IE TSN Industrial Managed Switch products, specifically the NZ2MHG-TSNT8F2 and NZ2MHG-TSNT4 models.

The report highlights two vulnerabilities:

1. Observable Timing Discrepancy (CVSS score 5.9): An attacker can decrypt ciphertext and disclose sensitive information by sending specially crafted packets, potentially using a Bleichenbacher-style attack.
2. Double Free (CVSS score 6.5): An attacker can cause a denial-of-service (DoS) condition by leading a legitimate user to import a malicious certificate.

The report recommends mitigations to minimize the risk of exploitation, including using a VPN, restricting physical access, and implementing proper access permissions. CISA also recommends implementing defensive measures, such as minimizing network exposure and isolating control systems behind firewalls.

Relevant Information:

CVSS scores: 5.9 and 6.5
 Vendor: Mitsubishi Electric
Affected products: CC-Link IE TSN Industrial Managed Switch (NZ2MHG-TSNT8F2 and NZ2MHG-TSNT4)
 Potential impacts: Disclosure of sensitive information and denial-of-service (DoS) condition

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 6.5
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Mitsubishi Electric
  • Equipment: CC-Link IE TSN Industrial Managed Switch
  • Vulnerabilities: Observable Timing Discrepancy, Double Free

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in disclosure of information stored in the product by sending specially crafted packets or could cause a denial-of service (DoS) condition by getting a legitimate user to import a specially crafted certificate

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Mitsubishi Electric products are affected:

  • CC-Link IE TSN Industrial Managed Switch, model NZ2MHG-TSNT8F2 NZ2MHG-TSNT4: All versions

3.2 Vulnerability Overview

3.2.1 OBSERVABLE TIMING DISCREPANCY CWE-208

An attacker could decrypt ciphertext and disclose sensitive information by sending specially crafted packets and performing a Bleichenbacher style attack.

CVE-2022-4304 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.2 DOUBLE FREE CWE-415

An attacker could cause a denial-of-service (DoS) condition on the product by leading a legitimate user to import a malicious certificate.

CVE-2022-4450 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this these vulnerabilities to CISA.

4. MITIGATIONS

Mitsubishi Electric recommends that customers take the following mitigations to minimize the risk of exploitation of these vulnerabilities:

  • When internet access is required, use a virtual private network (VPN) or other means to prevent unauthorized access.
  • Use the products within a LAN and block access from untrusted networks and hosts.
  • Restrict physical access to your computer and network equipment on the same network.
  • After you log into NZ2MHG-TSNT8F2 or NZ2MHG-TSNT4 with the web interface, change user name and password from default setting at [Account Management] displayed on the function menu. Also, set the proper access permissions for the users.

For specific update instructions and additional details see Mitsubishi Electric advisory 2023-011.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • October 5, 2023: Initial Publication

Highlights content goes here...

Summary:

Vulnerability:

The Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch, models NZ2MHG-TSNT8F2 and NZ2MHG-TSNT4, has been found to have two critical vulnerabilities: an Observable Timing Discrepancy (CWE-208) and a Double Free (CWE-415). These vulnerabilities could allow an attacker to exploit the system remotely with low attack complexity.

Risk Evaluation:

Successful exploitation of these vulnerabilities could result in the disclosure of sensitive information stored in the product or cause a denial-of-service (DoS) condition by leading a legitimate user to import a malicious certificate.

Technical Details:

The affected products are all versions of the CC-Link IE TSN Industrial Managed Switch. The Observable Timing Discrepancy vulnerability (CVE-2022-4304) has a CVSS v3 base score of 5.9, while the Double Free vulnerability (CVE-2022-4450) has a base score of 6.5.

Background:

The affected product is used in critical infrastructure sectors, including critical manufacturing, and has been deployed worldwide. The company headquarters is located in Japan.

Mitigations:

Mitsubishi Electric recommends the following mitigations to minimize the risk of exploitation:

1. Use a virtual private network (VPN) or other means to prevent unauthorized access when internet access is required.
2. Use the products within a LAN and block access from untrusted networks and hosts.
3. Restrict physical access to your computer and network equipment on the same network.
4. Change the default user name and password and set proper access permissions for users after logging into the system.
5. Use specific update instructions and additional details provided by Mitsubishi Electric.

Additional Guidance:

CISA also recommends the following measures to minimize the risk of exploitation:

1. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
2. Locate control system networks and remote devices behind firewalls and isolating them from business networks.

Update History:

The vulnerability was initially published on October 5, 2023.

No Public Exploitation:

At the time of publication, there were no known public exploits specifically targeting these vulnerabilities.

Cybersecurity and Infrastructure Security Agency

Quick Insight
RADA.AI
RADA.AI
Hello! I'm RADA.AI - Regulatory Analysis and Decision Assistance. Your Intelligent guide for compliance and decision-making. How can i assist you today?
Suggested
Related Documents
Maintenance of Good Practice Certificate Queries
Date: 4th Feb, 2025 Source: National Health Surveillance Agency (Anvisa) Country: Brazil
News Healthcare & Pharma Guidance
Are your organisation’s edge devices secure?
Date: 5th Feb, 2025 Source: Australian Cyber Security Centre (ACSC) Country: Australia
News Cybersecurity Guidance
How EASA certified Safran’s ENGINeUS 100 electric engine
Date: 4th Feb, 2025 Source: European Union Aviation Safety Agency (EASA) Country: European Union
News Aviation & Aerospace Guidance

Form successfully submitted. One of our GRI rep will contact you shortly

Thanking You!

Click here

Enter your Email

Enter your registered username/email id.

Enter your Email

Enter your email id below to signup.

Enter your Email

Enter your email id below to signup.
Individual Plan
  • Designed for Growing Compliance Teams
$125 / month OR $1250 / year
Features
  • • Coverage for 20 jurisdictions
  • • Monitoring from 500+ regulatory authorities
  • • AI compliance summaries
  • • RaDa.ai : Single-Role
Best for: Researchers, Legal professionals, Academics
Subscribe Now
Enterprise Plan
  • Perfect for Global Enterprises
Contact for Pricing
Features
  • • Custom jurisdictional coverage
  • • Custom monitoring of regulatory authorities
  • • RaDa.ai : Customizable multi-role
  • • Custom reporting and dashboard capabilities
  • • API access for seamless integration
Best for: Law Firms, Corporations, Government Bodies
Contact Sales